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ABSTRACT 


The  hazards  associated  with  the  critical  flight  phases  of 
civil  as  well  as  military  flight  operations  can  seriously 
degrade  pilot  efficiency,  and  therefore  aircraft 
survivability,  if  the  number  or  complexity  of  tasks  that  the 
pilot  must  manage  exceeds  his/her  capabilities.   This  thesis 
explores  the  feasibility  of  applying  artificial  intelligence 
(AI)  research  to  the  construction  of  a  Survivability  Manager 
( SM )  knowledge  based  system  ( KBS )  that  will  assist  the  pilot 
by  assuming  a  portion  of  the  survivability  task  management 
load.   The  application  of  KBS  principles  to  survivability 
management  is  illustrated  using  the  normal  and  emergency 
management  procedures  for  a  hypothetical  engine  fuel  supply 
system  as  a  working  example.   Though  the  SM  is  not  a  reality 
today,  there  is  considerable  research  in  both  AI  and 
survivability  enhancement  studies  to  draw  upon.   It  is 
recommended  that  a  prototype  be  developed  using  currently 
available  assets  to  further  investigate  the  feasibility  of 
the  Survivability  Manager. 
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I.  INTRODUCTION 

This  thesis  is  concerned  with  the  feasibility  of  using 
artificial  intelligence  to  assist  the  pilot  in  the  management 
of  aircraft  survivability  design  features  and  equipment. 
Specifically,  the  intent  is  to  propose  the  development  of  a 
Survivability  Manager,  capable  of  partially  or  fully 
autonomous  control,  for  both  civil  and  military  aircraft.   In 
order  to  make  the  following  discussion  meaningful,  several 
terms  must  first  be  (re)defined. 

The  aircraft  combat  survivability  discipline  has 
developed  a  vocabulary  based  upon  a  man-made  hostile 
environment.   Those  familiar  with  this  field  will  find  that 
several  of  these  terms  have  been  broadened  in  context  here  to 
include  their  application  to  civil  aircraft.   Aircraft  combat 
survivability  is  defined  as  "the  capability  of  an  aircraft  to 
avoid  and/or  withstand  a  man-made  hostile  environment" 
[Ref . 1 :  p.  1].   If  the  term  survivability  is  expanded  to 
include  flight  safety  in  general,  it  could  be  defined  as   the 
capability  of  an  aircraft  to  avoid  and/or  withstand  a 
hazardous  situation.   Similarly,  susceptibility  is  now 
interpreted  as  the  inability  of  an  aircraft  to  avoid  a 
hazardous  situation,  and  vulnerability  as  the  inability  of  an 
aircraft  to  withstand  a  hazardous  situation.   A  hazardous 
situation  is  one  or  more  adverse  conditions  that,  by  design 


or  by  chance,  have  the  potential  to  degrade  flight 
performance.   Flight  performance  degradation  is  measured  by 
the  extent  to  which  components,  designed  to  provide  that 
performance,  are  functionally  degraded. 

It  is  recommended  that  readers  who  are  not  familiar  with 
survivability  concepts  review  the  glossary  provided  within 
this  document.  Those  desiring  a  more  detailed  presentation  on 
aircraft  combat  survivability  are  referred  to  Ball  [Ref .  1]. 
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II.  BACKGROUND  :  PROBLEM  DEFINITION 

Since  its  early  development,  the  aircraft  has  had  to 
operate  under  less  than  ideal  circumstances.   Even  today's 
super-sophisticated  designs  are  subject  to  the  ravages  of 
defective  workmanship,  poor  maintenance,  bad  weather,  human 
error,  in-flight  obstacles,  and  other  aircraft.   Military 
aircraft  must  withstand  man  made  hazards  as  well;  hazards 
specifically  designed  for  the  destruction  of  aircraft.   There 
are  important  distinctions  between  civil  and  military 
hazards,  but  the  pilot's  primary  responsibility  in  either 
case  is  to  ensure  that,  in  spite  of  any  adverse  conditions 
encountered,  the  flight  is  safely  concluded.   This  chapter 
will  explore  the  nature  of  these  hazards,  and  provide  some 
measure  of  the  trained  professional  pilot's  ability  to  cope 
with  them. 

A.   CIVIL  AIRCRAFT  HAZARDS 

The  general  decline  in  the  number  of  accidents  per  flight 
hour  experienced  by  civil  aircraft  in  the  last  decade  is  a 
direct  result  of  the  intensive  training  and  sophisticated 
equipment  currently  available  to  pilots,  air  traffic 
controllers,  and  other  support  personnel.   These  impressive 
statistics  notwithstanding,  there  is  always  room  for 
improvement.   Specifically,  the  relatively  high  proportion  of 
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mishaps  resulting  from  human  error  still  gives  excellent 

incentive  to  take  every  conceivable  effort  to  reduce  them. 

An  analysis  of  the  hazards  these  aircraft  encounter  is  the 

first  step  in  any  such  effort. 

1 .   Mishap  Statistics 

Each  year  the  National  Transportation  Safety  Board 

(NTSB)  reports  statistics  concerning  aviation  related 

accidents  that  occur  within  its  jurisdiction.   The  NTSB 

defines  an  accident  as  an  occurence  incident  to  flight  in 

which: 

"as  a  result  of  the  operation  of  an  aircraft,  any 
person  (occupant  or  nonoccupant)  receives  fatal  or 
serious  injury  or  any  aircraft  receives  substantial 
damage. "  [Ref .  2: p.  80] 

The  NTSB's  latest  synopsis  covers  the  period  from  1975 

through  1984  [Ref.  3].  Although  rates  (number  of  accidents 

per  100,000  flight  hours)  and  even  numbers  of  accidents  have 

generally  fallen  since  1978,  there  are  still  too  many.   The 

safest  year  in  recent  civil  aviation  history  was  1984,  yet 

there  were  173  accidents  involving  revenue  producing  flight 

operations,  resulting  in  103  fatalities.   Revenue  producing 

operations   include  airlines,  commuters,  and  on-demand  air 

taxis.   The  statistics  also  reveal  2999  general  aviation 

accidents  in  1984,  with  998  fatalities.   General  aviation 

operations  refer  to  private,  non-revenue  producing,  flying. 

The  number  and  rate  for  this  category  are  much  higher,  due, 

among  other  factors,  to  the  enormous  number  of  general 
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aviation  aircraft.  Unofficially,  1985  has  already  surpassed 
these  figures,  and  is  recognized  as  one  of  the  worst  years  in 
recent  civil  aviation  history  [Ref.  4:p.  1]. 

2 .  Accident  Causes/Factors 

In  an  effort  to  identify  trends  and  significant 
problem  areas,  the  NTSB  reports  all  probable  cause(s),  as 
well  as  any  related  factors,  for  each  accident.   Factors  are 
those  elements  of  an  accident  that  further  explain  or 
supplement  the  probable  cause(s).   These  cause/factor 
elements  may  be  grouped  into  three  general  categories: 

1)  Environmental  extreme. 

2)  Material  failure. 

3)  Human  error. 

Environmental  extremes  include  micro-bursts,  wind  shear, 
turbulence,  low  visibility,  hail,  birds,  and  wet  runways. 
Cyclic  fatigue,  brittle  fracture,  electrical  malfunction,  and 
fluid  seal  rupture  are  all  examples  of  material  failures. 
Human  errors  are  procedural  and  judgemental  errors  on  the 
part  of  the  designer,  manufacturer,  pilot,  air  traffic 
controller,  weather  briefer,  maintenance  and  service 
personnel,  and  any  others  directly  or  indirectly  responsible 
for  flight  safety.   Of  all  the  causes/factors  listed,  pilot 
error  is  cited  most  often. 

3 .  Critical  Flight  Phases 

In  reviewing  accident  statistics,  it  soon  becomes 
apparent  that  there  are  operational  flight  phases  which  are 
more  hazard  intensive  than  others. 
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According  to  the  NTSB  [Ref.  2],  the  five  general  flight 
phases  are: 

1)  Static  -  aircraft  immobile  on  deck,  engines  idle 
or  secured. 

2)  Taxi  -  to  takeoff  or  from  landing. 

3)  Takeoff  -  run,  abort,  initial  climbout. 

4)  In  Flight  -  climb  to  cruise,  normal  cruise, 
descent . 

5)  Landing  -  approach,  touchdown,  roll  out,  missed 
approach. 

For  the  1976-1981  period  the  NTSB  reported  that  U.  S.  air 

carriers  sustained  58%  of  their  accidents  while  in  the 

takeoff  or  landing  phases. 

4 .   Hazards  of  Success 

The  capabilities,  availability,  and  popularity  that 
the  aircraft  has  gained  in  the  past  eighty  years  has  made  it 
indispensable  to  modern  civilization.   It  is  ironic  that  this 
success  has,  in  a  sense,  increased  the  opportunity  for 
mishap.   Aircraft  have  become  bigger,  faster,  and  more 
numerous ,  and  each  of  these  advantages  has  a  corresponding 
disadvantage . 

a.   Aircaft  Size 

The  first  commercial  flight  service  was  in  1919, 
between  London  and  Paris.   The  aircraft  carried  a  maximum  of 
four  passengers.   Today,  'jumbo  jets'  carry  up  to  five 
hundred  passengers  from  New  York  to  Tokyo,  nonstop.   These 
behemoths  weigh  over  400  tons  and  span  almost  200  feet,  wing 
tip  to  wing  tip.   That  is  too  many  people  with  too  much 
inertia  to  expect  favorable  results  in  a  mishap. 
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b.  Flight  Speed 

History's  first  fatal  accident  in  a  powered 
aircraft  occurred  in  1908.   Lieutenant  Thomas  Self ridge  was 
killed  as  a  result  of  a  biplane  crash,  of  which  he  was  the 
passenger.   The  pilot  was  Orville  Wright.   The  top  speed  of 
the  craft  was  almost  45  miles  per  hour,  apparently  fast 
enough  to  kill. 

Today,  supersonic  transport  (SST)  air  carriers  cross  the 
Atlantic  at  Mach  two  plus.   More   commonly,  large  subsonic 
transports  cruise  at  about  Mach  point  eight,  which  is  roughly 
one  thousand  feet  per  second.   The  obvious  hazard  of  an 
irresistible  force  meeting  an  immovable  object  is  compounded 
by  1)  the  limited  reaction  time  available  to  prevent  it  and 
2)  the  possibility  that  the  pilot  is  not  even  aware  of  the 
hazard. 

c.  Traffic  Density 

The  number  of  IFR  flights  handled  by  the  Federal 
Aviation  Administration  (FAA)  Air  Route  Traffic  Control 
Centers  (ARTCC)  has  increased  from  20.6  million  in  1969  to 
31.6  million  in  1984.   The  FAA  forecasts  the  number  to  rise 
to  45.3  million  in  1996  [Ref.  5:p.  1].   The  total  number  of 
aircraft  actually  in  the  air  is  even  greater,  due  to  the  VFR 
traffic  that  is  not  handled  by  the  ARTCC.   In  1984,  the  FAA 
recorded  42.9  million  IFR  flight  hours,  which  reduces  to  an 
average  of  4,897  IFR  aircraft  within  U.S.  airspace  at  all 
times.   This  means  that  the  airways  are  getting  more  crowded, 
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en  route  delays  will  become  more  frequent  and  last  longer, 
and  the  opportunities  for  collision  will  rise  accordingly. 

B.   MILITARY  AIRCRAFT  HAZARDS 

A  major  portion  of  military  flight  operations  occurs  in 
non-combat  conditions,  even  in  time  of  war.   The  previous 
discussion  concerning  civil  aircraft  hazards  applies  equally 
to  military  aircraft  in  these  conditions.   While  in  combat, 
the  military  pilot  must  also  cope  with  a  determined  enemy 
effort  to  shoot  him  down.    In  this  condition,  the  hazards 
can  be  of  either  external  or  internal  origin.   The  external 
hazards  are  provided  by  the  enemy  air  defense  system,  and  the 
internal  hazards  are  associated  with  task  overload. 

1 .   Sophistication  of  Air  Defense  Systems 

The  proliferation  of  air  defense  systems  which  have 
been  developed  to  counter  the  threat  of  aggressor  aircraft  is 
an  acknowledgement  of  the  potential  destructive  power  of 
these  aircraft.   With  each  gain  in  air  power  sophistication, 
there  has  been  an  effective  countermeasure  developed  to 
neutralize  it.   Today,  there  are  radar  directed,  high  kinetic 
energy  guns;  long  range  guided  surface-to-air  and  air-to-air 
missiles;   and  state-of-the-art  high  performance  fighter 
interceptors,  capable  of  engaging  multiple  targets 
simultaneously.   Still  under  development  are  directed  energy 
weapons,  using  high  power  lasers  and  particle  beams.   The 
list  is  endless,  and  the  combat  pilot  must  have  the  means  to 
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cope  with  these  threats  if  he  is  expected  to  perform 
effectively  and  repeatedly. 

2.   Sophistication  of  Aircraft 

Advances  in  technology,  particularly  in  the  last 
twenty-five  years,  have  nurtured  the  development  of  aircraft 
capable  of  extremely  complex  operations  under  extraordinary 
environmental  conditions  at  incredibly  high  speeds.   This 
sophistication  has  brought  two  disturbing  consequences.   The 
first  is  the  concurrent  improvements  in  air  defense  system 
technology,  discussed  above.   The  second  is  the  increasing 
probability  that  the  pilot  will  encounter  task  overloading 
during  critical  flight  phases,  resulting  in  a  fatal 
procedural  oversight.   The  number  of  cockpit  controls  and 
displays  has  increased  exponentially  since  the  1920s.   The 
result  is  a  'data  rich,  information  poor'  pilot,  who  must 
make  timely,  effective  use  of  it.   The  pilot  must  be 
constantly  cognizant  of  the  aircraft  health  status,  stores 
inventory,  navigational  position,  and  tactical  situation, 
while  simultaneously  flying  the  aircraft,  obtaining  a  fire 
control  solution,  selecting  munitions,  employing  air  defense 
countermeasures ,  evaluating  component  failure  consequences, 
and  updating  response  priorities.   Although  some  of  these 
tasks  are  currently  being  automated  to  some  degree,  the 
potential  for  pilot  overload  during  critical  mission  phases 
is  still  very  significant. 
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C.   HUMAN  PERFORMANCE 

Given  the  hazards  outlined  above,  the  capability  for 
rapid,  effective  action  to  prevent  or  minimize  critical 
component  loss  due  to  failure  or  damage  must  be  enhanced 
correspondingly.   Trained  professional  pilot  capabilities 
notwithstanding,  there  is  a  limit  to  the  number  and 
complexity  of  operations  that  a  person  can  perform  in  a  given 
amount  of  time.   Pilot  functional  overload  is  reached  when: 

(1)  Response  time  exceeds  safe  reaction  time  or; 

(2)  Reaction  complexity  exceeds  response 
capabilities . 

Human  capabilities  and  limitations  have  been 
characterized  by  the  Air  Force  Studies  Board.   Humans,  as  a 
system  component,  can  perform  numerous  mission  and  flight 
essential  functions  which  are  not  otherwise  possible.   They 
have  well  developed  perceptual  abilities,  including  visual 
and  aural  discrimination,  pattern  recognition,  and  speech 
comprehension.   They  are  capable  of  flexible  control,  in  that 
they  can  readily  invent  new  procedures  and  adapt  old  ones  to 
new  circumstances.   An  unavoidable  partner  to  this 
flexibility  is  a  requirement  for  motivation.   Humans  perform 
best  in  active,  mentally  stimulating  conditions,  thus  making 
them  poor  at  repetitive  tasking  and  watch-keeping.  [Ref.  6:p 
34] 

The  human  brain  possesses  limited  information  processing 
capabilities.   The  speed  at  which  data  can  be  absorbed, 
processed,  and  responded  to  is  finite,  and  can  not  be 
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appreciably  increased.   In  addition,  the  human  brain  is 
basically  a  serial  processor,  able  to  perform  multiple 
tasking  only  by  rapidly  switching  through  each  one.  [Ref.  6:p 
35] 

The  errors  associated  with  human  information  processing 
include  precision,  capture,  and  sequential  errors.   Precision 
errors  are  characterized  by  the  incorrect  identification  of  a 
state  among  many  similar  but  distinct  states.   Capture  errors 
occur  when  an  incorrect,  but  familiar  procedure  is  executed 
in  place  of  the  correct,  less  familiar  one.   Sequential 
errors  refer  to  the  improper  order  of  step  execution  for  a 
given  procedure.    The  number  and  severity  of  the  errors  go 
up  as  the  tasking  increases.  [Ref.  6:p  36] 
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III.  OBJECTIVE  :  AUTOMATE  AIRCRAFT  SURVIVABILITY 

MANAGEMENT 

Given  the  capabilities  and  limitations  of  human 
performance,  there  are  three  options  available  to  enhance 
pilot  effectiveness  during  critical  (high  workload)  flight 
phases : 

(1)  Improve  pilot  selection  and  training. 

(2)  Increase  the  crew  size. 

(3)  Build  'intelligent'  cockpits. 

Option  one  would  not  be  cost  effective,  because  the  calibre 
of  today's  trained  professional  pilot  is  probably  near  the 
peak  of  human  capability.   The  cockpit  workload  is  simply 
threatening  to  exceed  this  capability.   Option  two  has 
historically  provided  a  workload  reduction  by  delegation,  but 
there  are  several  disadvantages  associated  with  the 
additional  personnel.   For  example,  it  has  been  estimated 
that  each  additional  150-pound  person  in  the  cockpit  requires 
approximately  10,000  pounds  of  additional  support  equipment 
[Ref.  6: p.  36].   It  may  be  of  greater  importance  to  note 
that,  ironically,  the  additional  personnel  does  not  always 
provide  better  performance.   Complacency  can  compromise 
safety  in  a  multi-piloted  aircraft,  when  division  of  task 
load  is  not  clearly  defined.   Recent  design  philosophy  has 
shifted  to  one  man  operable  cockpits,  in  part,  for  these 
reasons.   Examples  include  the  F-16,  F/A-18,  F-20 ,  LHX ,  ATA, 
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ATF,  and  CASP .   Even  so,  the  Navy  is  now  studying  a  proposal 
by  McDonnell  Aircraft  Company  for  the  development  of  a  two 
seat  operational  version  of  the  F/A-18  [Ref.  7].   The 
justification  given  implies  that  the  additional  crewman 
provides  capabilities  not  otherwise  possible  with  the 
automation  technology  that  is  curently  available.  Regardless 
of  the  number  of  seats,  this  conventional  technology  provides 
the  pilot  (and  crew)  with  execution  aids  that,  as  opposed  to 
autonomous  employment  aids,  may  not  adequately  reduce  pilot 
tasking  in  critical  flight  phases.   Building  'intelligent' 
cockpits,  as  option  three  suggests,  could  theoretically 
provide  this  needed  reduction.   There  are  numerous  facets  of 
the  cockpit  environment  that  could  benefit  from  this  'built 
in'  intelligence,  but  this  thesis  is  concerned  with 
survivability.   Therefore,  consider  the  incorporation  of  a 
system  specifically  designed  to  actively  assist  the  pilot  in 
maximizing  the  aircraft's  survivability;  a  Survivability 
Manager. 

A.   THE  SURVIVABILITY  MANAGER 

Whether  civilian  or  military,  the  pilot  is  charged  with 
three  major  responsibilities.   In  descending  order  of 
importance,  they  are: 

(1)  Safety  of  personnel. 

(2)  Effective  employment  of  the  aircraft. 

(3)  Mission  objectives. 
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Any  attempt  to  improve  pilot  performance  must  be  measured 
against  his/her  success  in  meeting  these  goals.   The  most 
important  measure  of  this  success  is  survivability.   With  the 
advent  of  cockpit  automation,  pilot  performance  (and 
therefore  survivability)  has  increased  significantly.   A 
logical  next  step  is  to  automate  the  management  of 
survivability  features  and  equipment;  that  is,  give  the 
aircraft  a  Survivability  Manager  designed  to  actively  prevent 
or  minimize  any  flight  performance  degradation  that  might 
result  from  a  hazardous  situation. 

The  extensive  use  of  microprocessor  technology  in  modern 
aircraft  design  has  provided  subsystem  status  and  control  as 
a  base  on  which  to  build.   For  example,  most  automated 
systems  have  built-in-test  capabilities  that  self  diagnose 
functional  health.   These  data  bases  could  be  drawn  upon  by 
the  Survivability  Manager  to  monitor  aircraft  health  and 
performance  potential.   Since  many  of  these  same  subsystems 
are  also  computer  operated,  they  may,  in  theory,  be  managed 
by  a  computer  possessing  'quasi-human'  intelligence. 
Suppose,  for  example,  that  a  component  failure  is  detected. 
The  Survivability  Manager  would  selectivly  reconfigure  the 
remaining  operational  subsystems  to  functionally  replace  the 
failed  component.   The  pilot  has  historically  performed  the 
reconfiguration,  but  a  computer  with  a  modest  inference 
capability  could  also  do  it. 
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B.   AUTOMATION  GUIDELINES 

In  selecting  the  functions  to  be  automated,  careful 
consideration  must  be  given  to  the  amount  of  interaction 
desired  between  the  pilot  and  the  Survivability  Manager.   A 
strict  division  of  functional  responsibilities  is  not 
necessarily  desirable.   The  degree  of  automation  must  be 
carefully  considered  for  each  potential  application. 
According  to  Air  Force  studies  [Ref.  6: p.  39],  the  degree  of 
automation  employed  should  reflect  the  need  to: 

(1)  Reduce  excessive  workload. 

(2)  Reduce  errors. 

(3)  Improve  performance. 

(4)  Add  new  capabilities. 

Computers  will  never  be  truly  intelligent,  like  people. 
The  subtle  nuances  and  intuitive  creativity  of  the  human  mind 
are  beyond  the  physics  of  semiconductors.   It  is  therefore 
difficult  to  conceive  that  pilots  could  be  automated  out  of  a 
job  (the  limited  utility  of  remotely  piloted  vehicles  (RPV) 
notwithstanding).   However,  there  are  many  tasks  that 
computers  can  perform  as  well  as  or  better  than  people.   They 
can  complement  pilot  abilities  by  performing  routine  tasking 
or  watch-keeping.   In  addition,  they  can  supplement  or  extend 
pilot  abilities.   A  case  in  point  is  the  fly-by-wire  flight 
control  system  for  the  DARPA  X-29  forward  swept  wing 
aircraft.   The  dynamic  instability  of  the  aircraft  is  such 
that,  without  computer  control,  it  would  be  ripped  apart  in  a 
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fraction  of  a  second.   The  pilot  simply  can  not  react  quickly 
enough  or  precisely  enough  to  directly  control  the  aircraft. 

C.   LIMITATIONS  TO  CURRENT  AUTOMATION  METHODS 

Conventional  programming  logics  rely  on  exhaustive  search 
and  numeric  methods  to  solve  problems.   These  algorithms  are 
incredibly  fast  at  exceedingly  tedious  mathematical 
calculations,  making  them  effective  tools  for  automation  of 
routine  or  well  defined  tasks.   They  do  not  lend  themselves 
well  to  rational  processes,  where  non-numeric  facts  and 
constraints  must  be  considered.   The  conventional  language 
program  (such  as  FORTRAN)  possesses  a  rigid  response 
framework,  from  which  it  will  analyze  data  and  formulate 
results.   To  require  such  a  program  to  select  an  optimal 
solution  based  on  non-numeric  considerations  would  invariably 
invite  disaster.  What  is  required  is  a  pseudo-intelligent 
program,  one  that  can  reason  in  a  quasi-human  fashion;  hence 
the  term , "Artificial  Intelligence". 
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IV.  APPROACH  :  ENHANCE  SURVIVABILITY  WITH 
ARTIFICIAL  INTELLIGENCE 

Artificial  Intelligence  (AI)  can  be  loosely  defined  as 
the  condition  wherein  machines  think,  or  at  least  seem  to 
think,  like  people.   Specific  research  in  this  relatively  new 
field  of  study  includes  natural  language,  vision,  symbolics, 
robotics,  and  expert  systems.   Expert  systems,  also  referred 
to  as  knowledge  based  systems  (KBS),  are  the  AI  studies  to  be 
addressed  here.   These  systems  use  sophisticated  problem 
solving  techniques  and  vast  stores  of  knowledge  to  solve 
problems  that  conventional  programming  methods  can  not. 

A.   THE  KNOWLEDGE  BASED  SYSTEM 

In  order  to  build  knowledge  based  systems,  the  software 
engineer  must  first  be  aware  of  the  techniques  that  the  human 
mind  uses,  consciously  or  not,  to  attack  difficult  problems, 
and  the  reasoning  strategies  used  to  guide  the  search  for 
solution(s).   According  to  Lenat  [Ref.  8: p.  204],  humans 
solve  problems  by  applying  their  understanding  of  the 
regularities  of  the  solution  space  to  constrain  the  search. 
The  techniques  used  to  apply  this  understanding  include: 

1)  Formal  reasoning:  use  formal  logic  methods  such 
as  resolution  or  structural  induction. 

2)  Heuristic  reasoning:  use  statistical  probability 
methods  and  if-then  rules  of  thumb. 
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3)  Focus:  be  oriented  toward  specific  goals. 

4)  Divide  and  conquer:  break  up  a  complex  problem 
into  smaller,  simpler  problems. 

5)  Parallelism:  work  on  several  searches 
simultaneously. 

6)  Representation:  attack  the  problem  from 
several  different  perspectives. 

7)  Analogy:  recognize  the  similarities  of  a  new 
problem  to  an  old  one. 

8)  Synergism:  use  a  multitude  of  simple 
relationships  to  solve  a  complex  problem. 

9)  Serendipity:  gather  data  and  look  for  patterns. 
It  is  essential  to  incorporate  these  techniques  in  the 
construction  of  the  expert  system  if  it  is  to  succeed  at 
performing  intelligently,  but  it  is  not  sufficient.   There 
must  also  be  a  reasoning  strategy  that  guides  the  employment 
of  these  techniques.   The  two  most  common  reasoning 
strategies  are  forward  inferencing  and  backward  inferencing. 
In  forward  inferencing  the  attempt  is  made  to  reason  forward 
from  the  facts  to  a  solution.   In  backward  inferencing  the 
system  will  assume  a  solution  and  try  to  find  supporting 
evidence  from  the  facts. 

Assuming  that  the  KBS  is  constructed  to  employ  the 
requisite  reasoning  techniques  and  strategies,  it  must  also 
have  access  to  an  enormous  amount  of  basic  knowledge.   This 
knowledge  base  must  be  comprehensive  and  unpolluted  in  order 
to  prevent  deductive  errors.   Deductive  errors  include  errors 
of  omission  (a  known  fact  that  is  not  provided),  and  errors 
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of  commission  (information  input  that  is  inaccurate). 
Moreover,  there  is  a  fundamental  limitation  to  which  any 
logical  reasoning  process  is  subject:  insufficient  data.   In 
other  words,  if  "THIS  follows  from  THAT"  can  be  validated, 
then  the  system  will  answer  YES.   But  if  "THIS  does  not 
follow  from  THAT",  given  an  incomplete  knowledge  base,  the 
system  may  not  be  able  to  answer  NO.   In  order  to  obtain  a 
KBS  relatively  free  of  deductive  errors,  the  process  of 
acquiring  the  knowledge  from  domain  experts  must  be 
meticulous  and  exhaustive.   Current  techniques  for  knowledge 
acquisition  are  slow  and  painful,  and  if  AI  is  to  become 
truly  practical,  a  more  automatic  means  must  be  devised. 

When  the  rational  thought  processes  are  clearly 
understood,  the  software  engineer  can  then  begin  to  construct 
the  knowledge  based  system  (Figure  1).   Fundamentally,  this 
consists  of  a  knowledge  base  and  an  inference  engine  [Ref. 
9:pp.  22-23].   The  knowledge  base  is  the  store  of  facts  and 
rules,  provided  by  the  domain  expert,  which  pertain  to  the 
subject  of  interest.    The  inference  engine  performs  the 
actual  reasoning  process  using  a  combination  of  the  reasoning 
tools  and  strategies  described  above. 
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The  inference  engine  is  essentially  a  program  that  is 
capable  to  processing  symbols  that  represent  objects.   In 


Assertions  Question 


V  V 

[Knowledge  Base] >[Inference  Engine] 


V 
Answer ( s ) 


Figure  1 .   Knowledge  Based  System 

contrast  to  conventional  computer  applications,  where  symbols 
represent  numbers  and  mathematical  operations,  the  KBS  symbol 
can  represent  a  person,  process,  concept,  or  class  of 
objects.   The  knowledge  can  be  represented  in  several 
different  formats,  with  each  format  used  for  the  knowledge  it 
represents  best  [Ref.  10: p.  32]: 

(1)  Production  rules;  situation-action  or  premise- 
conclusion  rules  in  which  the  first  part  (antecedent) 
represents  some  pattern,  and  the  second  part 
(consequent)  represents  a  conclusion  to  be  drawn  when 
the  data  matches  the  pattern.   They  are  useful  in 
representing  procedural  knowledge. 

(2)  Semantic  networks;  taxonomic  scheme  wherein 
objects  are  nodes  and  relationships  are  links 
between  nodes.   They  are  useful  in  representing  object 
interrelationships . 

(3)  Frames;  format  in  which  objects  are  represented 
by  certain  standard  properties  and  by 

relationships  with  other  objects.   They  are  useful  in 
representing  large  amounts  of  knowledge  about 
object  properties  and  relations. 
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(4)  First  order  logic;  formal  method  of  representing 
logical  propositions  and  relationships  between 
propositions.   Useful  in  representing  knowledge 
in  explicit  terms. 

Ideally,  the  knowledge  would  be  encoded  within  the  knowledge 

base  in  the  format  that  provides  for  the  most  efficient 

utilization  for  the  current  problem. 

B.   A  SIMPLE  KBS  ILLUSTRATION 

A  practical  example  will  now  be  presented  to  illustrate 
the  applicability  of  the  KBS  to  aircraft  survivability.   The 
application  to  be  considered  incorporates  both  susceptibility 
reduction  and  vulnerability  reduction  logics  for  a  simplified 
twin-engine  aircraft  fuel  supply  system.   This  fuel  supply 
system  consists  of  identical  port  and  starboard  subsystems 
which  feed  the  port  and  starboard  engines,  respectively.   The 
primary  components  of  each  subsystem  include  a  feed  tank,  a 
transfer  tank,  and  an  external  tank.   The  susceptibility 
reduction  logics  seek  to  avoid  fuel  starvation,  through 
proper  management  of  the  available  fuel  supply.   The 
vulnerability  reduction  logics  seek  to  minimize  the  loss  of 
usable  fuel  due  to  component  failures.   The  domain  knowledge, 
which  is  encoded  into  the  knowledge  base,  will  be  partially 
represented  by  a  set  of  production  rules,  which  would  be 
provided  by  the  domain  expert  (in  this  case  the  fuel  system 
engineer).   In  this  example,  the  rules  may  be  divided  into 
two  groups;  declarative  rules  and  procedural  rules.   When  the 
declarative  rule  antecedent  conditions  are  satisfied,  the  SM 
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adds  the  consequent  to  the  knowledge  base  as  an  assertion. 
When  the  prcedural  rule  antecedent  conditions  are  satisfied, 
the  SM  performs,  or  advises  the  pilot  to  perform,  some 
action(s).  In  addition  to  the  production  rules,  the  knowledge 
base  also  contains  facts  that  represent  status  of  the  fuel 
supply  system's  critical  components.   These  component  status 
facts  are  continuously  updated  by  reports  from  appropriate 
sensors . 

In  a  situation  where  probabilities  must  be  considered, 
each  declarative  rule  antecedent  condition  would  be  'tagged' 
with  its  derived  probability.   The  probability  of  the 
consequent  would  then  be  computed  using  Bayes'  law  or  some 
other  formal  procedure  of  probability  theory.   For  this 
example,  all  probabilities  will  be  assumed  to  be  100  percent. 
In  the  following  list  of  rules,  the  local  variable  'X'  stands 
for  either  starboard  or  port,  and  is  necessarily  consistent 
only  within  a  given  rule.   The  local  variable  'Y'  always 
stands  for  the  opposite  to  the  value  of  local  variable  'X' . 
This  effectively  cuts  the  number  of  required  rules  in  half, 
with  a  corresponding  savings  in  required  memory.   A  (D)  is 
used  to  identify  a  declarative  rule,  and  a  (P)  identifies  a 
procedural  rule. 


RULES: 

(1)   IF  FUEL  FLOW  PRESSURE  TO  ENGINE  X  IS  HIGH,  THEN 

ENGINE  X  WILL  HAVE  SUFFICIENT  FUEL  TO  MEET  ENGINE  X 
DEMANDS.   (D) 
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(2)  IF  (FUEL  FLOW  PRESSURE  TO  ENGINE  X  IS  LOW)  AND 
(THROTTLE  X  IS  CHANGED  ABRUPTLY),  THEN  ENGINE 
X  WILL  CEASE  TO  FUNCTION.   (D) 

(3)  IF  FUEL  FLOW  PRESSURE  TO  ENGINE  X  IS  ZERO,  THEN 
ENGINE  X  WILL  CEASE  TO  FUNCTION.   (D) 

(4)  IF  (FUEL  IS  AVAILABLE  TO  ENGINE  X  BOOST  PUMP)  AND 
(ENGINE  X  BOOST  PUMP  FUNCTIONS),  THEN  FUEL   FLOW 

PRESSURE  TO  ENGINE  X  IS  HIGH.   (D) 

(5)  IF  (FUEL  IS  AVAILABLE  TO  ENGINE  X  BOOST  PUMP) 
AND  (ENGINE  X  BOOST  PUMP  FAILS  FREE),  THEN  FUEL 
FLOW  PRESSURE  TO  ENGINE  X  IS  LOW.   (D) 

(6)  IF  (FUEL  IS  NOT  AVAILABLE  TO  ENGINE  X  BOOST 
PUMP)  OR  (ENGINE  X  BOOST  PUMP  FAILS  FROZEN), 
THEN  FUEL  FLOW  PRESSURE  TO  ENGINE  X  IS  ZERO.   (D) 

(7)  IF  (FUEL  IS  AVAILABLE  TO  FIREWALL  SHUTOFF  VALVE  X)  AND 
(FIREWALL  SHUTOFF  VALVE  X  IS  OPEN),  THEN  FUEL  IS 
AVAILABLE  TO  ENGINE  X  BOOST  PUMP.   (D) 

(8)  IF  (FUEL  IS  NOT  AVAILABLE  TO  FIREWALL  SHUTOFF  VALVE  X) 
OR  (FIREWALL  SHUTOFF  VALVE  X  IS  CLOSED),  THEN  FUEL  IS 
NOT  AVAILABLE  TO  ENGINE  X  BOOST  PUMP.   (D) 

(9)  IF  (ENGINE  X  BOOST  PUMP  FAILS  FROZEN)  OR  (FEED  TANK  X 
EJECTOR  PUMP  IS  CLOGGED)  OR  (ENGINE  X  FUEL  DEMAND  IS 
ZERO),  THEN  CLOSE  FIREWALL  SHUTOFF  VALVE  X.   (P) 

(10)  IF  (FEED  TANK  X  QTY  IS  NOT  ZERO)  AND  (FEED 
TANK  X  EJECTOR  PUMP  IS  CLEAR),  THEN  FUEL  IS 
AVAILABLE  TO  FIREWALL  SHUTOFF  VALVE  X.   (D) 

(11)  IF  (FEED  TANK  X  QTY  IS  ZERO)  OR  (FEED  TANK  X 
EJECTOR  PUMP  IS  CLOGGED),  THEN   FUEL  IS  NOT 
AVAILABLE  TO  FIREWALL  SHUTOFF  VALVE  X.   (D) 

(12)  IF  (FEED  TANK  X  FUEL  QTY  IS  LESS  THAN  MINIMUM)  AND 
(FIREWALL  SHUTOFF  VALVE  X  IS  OPEN),  THEN  (OPEN  FEED 
TANK  INTERCONNECT  VALVE)  AND  (FLY  WINGS  LEVEL).   (P) 

(13)  IF  (FEED  TANK  X  QTY  IS  FULL)  AND  (FUEL  CAN  NOT  BE 
TRANSFERRED  FROM  EXTERNAL  TANK  X  OR  TRANSFER  TANK  X 
TO  FEED  TANK  X),  THEN  CLOSE  THE  FEED  TANK 
INTERCONNECT  VALVE.   (P) 

(14)  IF  (TRANSFER  TANK  X  EJECTOR  PUMP  FUNCTIONS)  AND 
(TRANSFER  TANK  X  QTY  IS  NOT  ZERO),  THEN  FUEL  IS 
TRANSFERRED  FROM  TRANSFER  TANK  X  TO  FEED  TANK  X.   (D) 
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(15)  IF  (FEED  TANK  X  IS  FULL)  AND  (FUEL  IS 
TRANSFERRED  FROM  EXTERNAL  TANK  X  OR  TRANSFER 
TANK  X  OR  FEED  TANK  Y  TO  FEED  TANK  X),  THEN 
EXCESS  FUEL  IS  VENTED  TO  TRANSFER  TANK  X.   (D) 

(16)  IF  (TRANSFER  TANK  X  QTY  IS  ZERO)  OR  ((EJECTOR  PUMP 
FAILS)  AND  (TRANSFER  TANK  X  CHECK  VALVES  FAIL 
CLOSED)),  THEN  FUEL  CAN  NOT   BE  TRANSFERRED  FROM 
TRANSFER  TANK  X  TO  FEED  TANK  X.   (D) 

(17)  IF  (EXTERNAL  TANK  X  QTY  IS  NOT  ZERO)  AND  (THE 
EXTERNAL  TANK  PRESSURIZATION  VALVE  IS  OPEN), 
THEN  FUEL  IS  TRANSFERRED  FROM  EXTERNAL  TANK  X 
TO  FEED  TANK  X.   (D) 

(18)  IF  (EXTERNAL  TANK  X  QTY  IS  ZERO)  OR  (THE  EXTERNAL 
TANK  PRESSURIZATION  VALVE  FAILS  CLOSED),  THEN  FUEL 
CAN  NOT  BE  TRANSFERRED  FROM  EXTERNAL  TANK  X  TO  FEED 
TANK  X.   (D) 

(19)  IF  EXTERNAL  TANK  X  QTY  IS  GREATER  THAN  ZERO  AND  LESS 
THAN  TRANSFER  TANK  X  (CAPACITY  MINUS  QTY),  THEN  OPEN 
EXTERNAL  TANK  PRESSURIZATION  VALVE.   (P) 

(20)  IF  (EXTERNAL  TANK  X  QTY  PLUS  EXTERNAL  TANK  Y  QTY  IS 
ZERO)  AND  (THE  EXTERNAL  TANK  PRESSURIZATION  VALVE  IS 
OPEN),  THEN  CLOSE  THE  EXTERNAL  TANK  PRESSURIZATION 
VALVE.   (P) 

(21)  IF  (FEED  TANK  INTERCONNECT  VALVE  IS  OPEN)  AND 
(WING  X  IS  LOWER  THAN  WING  Y) ,  THEN  FUEL  IS 
TRANSFERRED  FROM  FEED  TANK  Y  TO  FEED  TANK  X.   (D) 

(22)  IF  (FEED  TANK  INTERCONNECT  VALVE  IS  CLOSED)  OR  (FEED 
TANK  Y  QTY  IS  ZERO)  OR  (WING  Y  IS  LOWER  THAN  WING  X) 
OR  (FEED  TANK  X  AND  TRANSFER  TANK  X  QTY  IS  FULL), 
THEN  FUEL  CAN  NOT  BE  TRANSFERRED  FROM  FEED  TANK  Y  TO 
FEED  TANK  X.  (D) 

(23)  IF  FUEL  TANK  X  INTEGRITY  IS  SEALED,  THEN  FUEL  TANK  X 
WILL  HOLD  UP  TO  FUEL  TANK  X  CAPACITY  UNTIL  SUCH  FUEL 
IS  TRANSFERRED  OUT  OF  FUEL  TANK  X.   (D) 

(24)  IF  (EXTERNAL  TANK  X  IS  RUPTURED)  AND  (EXTERNAL 
TANK  X  QTY  IS  NOT  ZERO),  THEN  OPEN  THE 
EXTERNAL  TANK  PRESSURIZATION  VALVE.   (P) 

(25)  IF  (TRANSFER  TANK  X  IS  RUPTURED)  AND  (FUEL  CAN  BE 
TRANSFERRED  FROM  EXTERNAL  TANK  X  OR  TRANSFER  TANK  X 
TO  FEED  TANK  X),  THEN  (OPEN  THE  FEED  TANK 
INTERCONNECT  VALVE)  AND  (FLY  WING  Y  DOWN).   (P) 
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FACTS: 

1)  RH  EXTERNAL  TANK  QTY  IS  (ZERO/PARTIAL/FULL). 

2)  LH  EXTERNAL  TANK  QTY  IS  (ZERO/PARTIAL/FULL). 

3)  RH  TRANSFER  TANK  QTY  IS  (ZERO/PARTIAL/FULL). 

4)  LH  TRANSFER  TANK  QTY  IS  (ZERO/PARTIAL/FULL). 

5)  RH  FEED  TANK  QTY  IS  ( ZERO/MIN/PARTIAL/FULL ) . 

6)  LH  FEED  TANK  QTY  IS  (ZERO/MIN/PARTIAL/FULL). 

7)  RH  EXT  TANK  INTEGRITY  IS  (SEALED/RUPTURED). 

8)  LH  EXT  TANK  INTEGRITY  IS  (SEALED/RUPTURED). 

9)  RH  TRANS  TANK  INTEGRITY  IS  (SEALED/RUPTURED). 

10)  LH  TRANS  TANK  INTEGRITY  IS  (SEALED/RUPTURED) 

11)  RH  FEED  TANK  INTEGRITY  IS  (SEALED/RUPTURED). 

12)  LH  FEED  TANK  INTEGRITY  IS  (SEALED/RUPTURED). 

13)  RH  ENGINE  BOOST  PUMP  IS 
(FROZEN/FREE/FUNCTIONAL) . 

14)  LH  ENGINE  BOOST  PUMP  IS 
(FROZEN/FREE/FUNCTIONAL) . 

15)  RH  FEED  TANK  EJECTOR  PUMP  IS 
(CLOGGED/CLEAR) . 

16)  LH  FEED  TANK  EJECTOR  PUMP  IS 
(CLOGGED/CLEAR) . 

17)  RH  TRANSFER  TANK  EJECTOR  PUMP  IS 
(CLOGGED/CLEAR) . 

18)  LH  TRANSFER  TANK  EJECTOR  PUMP  IS 
(CLOGGED/CLEAR) . 

19)  FEED  TANK  INTERCONNECT  IS  (CLOSED/OPEN). 

20)  RH  FIREWALL  SHUTOFF  VALVE  IS  (CLOSED/OPEN). 

21)  LH  FIREWALL  SHUTOFF  VALVE  IS  (CLOSED/OPEN). 

22)  EXTERNAL  TANK  PRESSURIZATION  VALVE  IS 
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(CLOSED/OPEN) . 
(23)   RH  WING  IS  (HIGHER/LOWER)  THAN  LH  WING. 

Consider  the  knowledge  base  above.   The  SM's  function, 
with  regard  to  the  fuel  supply  system,  is  to  ensure  that  fuel 
is  available  to  meet  engine  demands  as  long  as  possible.  This 
maintained  availability  is  the  desired  goal  state  toward 
which  the  SM  must  constantly  strive.   It  is  therefore  logical 
to  use  a  backward  inferencing  strategy  to  achieve  this  goal 
state.   As  an  initial  state,  suppose  all  components  are 
functioning  correctly  (as  would  normally  be  the  case),  and 
that  all  six  fuel  tanks  are  full  of  fuel.   The  SM  will  be 
monitoring  both  port  and  starboard  fuel  supply  subsystems 
simultaneously.   If  the  fuel  supply  to  the  starboard  engine 
is  of  current  interest,  then  'X'  corresponds  to  starboard, 
and  ' Y'  corresponds  to  port.   Starting  with  the  consequent  of 
Rule  1  (i.e.  ENGINE  X  WILL  HAVE  SUFFICIENT  FUEL  TO  MEET 
ENGINE  X  DEMANDS)  as  the  hypothetical  result,  the  inference 
engine  attempts  to  satisfy  the  conditions  of  the  antecedent 
(i.e.  FUEL  FLOW  PRESSURE  TO  ENGINE  X  IS  HIGH).   It  searches 
the  knowledge  base  for  a  sequence  of  actions,  combined  with 
current  facts,  that  will  culminate  in  the  maintenance  of 
these  conditions. 

Although  the  fuel  flow  pressure  is  in  fact  already  high 
in  the  initial  state,  it  is  not  guarenteed  to  stay  high. 
Therefore,  the  SM  continuously  cycles  through  the  knowledge 
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base,  searching  for  a  sequence  of  actions  to  take  that  will 
ensure  that  the  fuel  flow  pressure  remains  high  for  as  long 
as  possible.   In  this  way,  the  SM  finds  that  the  consequent 
of  Rule  4  satisfies  the  antecedent  of  Rule  1;  that  Fact  13 
(functional  boost  pump)  and  the  consequent  of  Rule  7  combine 
to  satisfy  the  antecedent  of  Rule  4;  that  Fact  20  (open 
firewall  shutoff  valve)  and  the  consequent  of  Rule  9  combine 
to   satisfy  the  antecedent  of  Rule  7;  and  finally,  that  Fact 
5  (full  feed  tank)  and  Fact  20  (clear  ejector  pump)  combine 
to  satisfy  the  antecedent  of  Rule  9.   Thus  the,  initial  state 
conditions  (facts)  are  sufficient  to  achieve  the  goal  state 
conditions  (hypothesis),  as  long  as  the  initial  conditions 
due  not  change.   However,  conditions  must  change;  fuel  must 
flow. 

As  the  feed  tank  fuel  is  transferred  to  the  engine,  the 
transfer  tank  automatically  replenishes  the  feed  tank,  via 
the  transfer  tank  ejector  pump  and  check  valves  (Rule  14). 
This  transfer  rate  is  greater  than  any  engine  demand  rate 
possible,  and  the  excess  is  vented  back  into  the  transfer 
tank  (Rule  15).   All  of  this  happens  without  SM  intervention. 
The  SM  will  intervene  only  when  procedural  rules  are  fired 
(i.e.  the  antecedent  is  satisfied). 

When  the  quantity  of  fuel  in  the  transfer  tank  plus  the 
quantity  of  fuel  in  the  external  tank  is  less  than  the  fuel 
capacity  of  the  transfer  tank,  the  antecedent  of  Rule  19  is 
-satisfied  and  the  SM  directs  that  the  external  tank 
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pressurization  valve  be  open.   If  completed,  this  action  is 
reflected  by  a  change  in  Fact  22  (pressurization  valve  open) 
which,  along  with  Fact  1  (external  tank  full),  satisfies  Rule 
17.   Rule  17  then  'asserts'  that  fuel  is  transferred  from  the 
external  tank  to  the  feed  tank.   Finally,  by  Rule  15,  the 
transfer  tank  is  replenished  until,  by  Rule  20,  the  external 
tank  pressurization  valve  is  closed. 

Now,  suppose  that  the  starboard   transfer  tank  begins  to 
lose  fuel  and  that  the  appropriate  sensor  reports  this 
failure.   Ideally,  the  sensor  would  report  the  failure  cause, 
mode,  and  degree.   In  this  example,  the  mode  is  reported  to 
be  a  loss  of  usable  fuel,  the  cause  might  be  projectile 
penetration,  and  the  degree  might  be  a  gallon  per  minute. 
Although  the  cause  and  degree  of  the  fuel  loss  may  not  be 
easily  assessed,  knowledge  of  the  failure  mode  supplies 
sufficient  data  for  the  SM  to  attempt  to  minimize  the 
degradation  of  fuel  system  performance.   Rule  25  is  fired  by 
the  reported  failure,  causing  the  SM  to  direct  the  opening  of 
the  feed  tank  interconnect  valve  and  the  lowering  of  the  left 
wing.   These  actions  update  Fact  19  (interconnect  open)  and 
Fact  23  (left  wing  down),  which  allows  fuel  to  be  transferred 
to  the  port  fuel  tanks.   This  action  conserves  fuel  that 
would  otherwise  be  lost  via  the  leaking  tank.   When  the 
starboard  feed  tank  quantity  drops  below  a  predefined 
minimum,  Rule  12  is  fired,  which  allows  the  port  feed  tank  to 
refill  the  starboard  feed  tank.   When  the  starboard  feed  tank 
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is  again  filled,  Rule  13  is  fired,  which  prevents  fuel  from 
being  vented  back  into  the  ruptured  tank.   The  SM  will  then 
cycle  between  Rule  12  and  Rule  13  until  a  new  fact  fires  some 
other  rule(s)  into  action. 

This  example  has  been  oversimplified  in  the  interest  of 
brevity  and  clarity.   Obviously,  there  are  other  effects  to 
consider,  such  as  fire  hazards  or  significant  structural 
damage,  associated  with  the  damage/failure  processes  that  led 
to  the  loss  of  integrity  of  the  starboard  fuel  transfer  tank. 
In  addition,  the  remedial  actions  taken  must  be  weighed 
against  possible  adverse  affects  on  the  performance  of  other 
systems.   In  this  case,  the  flight  control  system  may  not  be 
able  to  trim  out  the  lateral  weight  imbalance  resulting  from 
the  fuel  redistribution  from  the  starboard  wing  to  the  port 
wing.   It  is  assumed  that  the  knowledge  base  would  be 
comprehensive  enough  to  enable  the  SM  to  foresee  and  resolve 
such  conflicts,  within  the  paramount  constraint  to  sustain 
controlled  flight  as  long  as  possible. 
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V.   AI  APPLICATIONS  TO  AIRCRAFT  SURVIVABILITY 

Aircraft  combat  survivability  enhancement  studies 
emphasize  the  needs  of  the  military  aircraft  in  combat 
conditions.   Specifically,  they  seek  to  prevent  enemy  air 
defenses  from  engaging  friendly  aircraft  (susceptibility 
reduction)  and/or  limit  the  damaging  effects  of  such 
engagements  ( vulnerabilty  reduction).   However,  these  studies 
are  not  exclusively  applicable  to  military  aircraft  in  combat 
conditions.   For  example,  the  development  of  collision 
avoidance  equipment  for  civil  aircraft  is  also  an  application 
of  susceptibility  reduction  principles.   Similarly, 
vulnerability  reduction  studies  are  relevant  to  all  aircraft, 
in  that  they  are  concerned  with  component  failures  which  may 
or  may  not  be  the  result  of  damage  that  is  intentionally 
inflicted.   Whether  the  aircraft  is  civil  or  military, 
artificial  intelligence  will  have  widespread  application 
assisting  the  pilot  in  managing  the  systems  involved.   With  a 
Survivability  Manager  on  board,  the  pilot  will  be  free  to 
concentrate  on  flight  safety  and  mission  objectives. 

A.   SUSCEPTIBILITY  REDUCTION 

1 .   Military  Aircraft 

There  are  six  general  concepts  which  can  be  employed  to 
reduce  the  susceptibility  of  military  aircraft  to  combat 


38 


damage:  threat  warning,  noise  jammers  and  deceivers, 
signature  reduction,  expendables,  threat  suppression,  and 
tactics  [Ref.  l:pp.  198-221].   All  of  them  can  be  enhanced  to 
some  degree  by  AI  management. 

a.  Threat  Warning 

Any  on  board  equipment  that  senses  and  analyzes 
enemy  electromagnetic  emissions  must  make  this  data  useful  to 
the  pilot.   Simply  inundating  him/her  with  nonprioritized  and 
possibly  extraneous  data  may  well  serve  to  lessen  his/her 
effectiveness,  rather  than  increase  it.   He/she  is  primarily 
concerned  with  the  enemy's  tracking,  illuminating,  and 
guidance  emitters,  and  he/she  must  react  to  these  emitters  in 
the  order  of  descending  response  urgency.   AI  is  capable  of 
servicing  these  requirements.   In  addition,  the  emitter 
classification  and  status  determination  can  clearly  benefit 
from  AI ' s  ability  to  draw  logical  inferences  from  bodies  of 
evidence  of  various  levels  of  abstraction  inherently 
containing  some  degree  of  uncertainty. 

b.  Noise  Jammers  and  Deceivers 

Timely  and  effective  employment  of  these 
electromagnetic  countermeasures  devices  is  dependent  on 
careful  consideration  of  the  dynamic  tactical  environment  in 
which  the  aircraft  is  operating.   Obviously,  this  is  an  area 
where  the  pilot  could  use  an  'assistant'  to  suggest  or 
actively  control  such  employments.   The  Survivability  Manager 
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could  provide  this  assistance,  given  that  it  has  access  to  a 
knowledge  base  describing  the  tactical  environment. 

c.  Signature  Reduction 

The  aircraft  signature  includes  radar  cross 
section,  infrared  radiation,  visible  and  acoustic  emissions, 
and  electromagnetic  emissions  from  active  sensors  and 
communications  equipment.   The  state  of  current  technology 
could  provide  the  pilot,  and  so  the  SM,  with  signature 
reduction  features  that  give  some  control  over  the  magnitude 
of  these  detectable  emissions.   For  example,  an 
electromagnetic  (EM)  emitter  master  disable  switch  could  be 
provided,  to  effect  total  EM  silence  instantly  on  demand. 
The  optimum  utilization  of  these  features  can  be  suggested, 
or  autonomously  effected,  by  a  properly  programmed  SM. 

d.  Expendables 

Arguments  identical  with  item  (b). 

e.  Threat  Suppression 

This  refers  to  actively  neutralizing  the  threat 
through  weapons  employment.   Although  AI  would  undoubtedly 
find  application  with  offensive  tactical  weapons  employment, 
it  is  an  entire  study  in  itself,  and  will  not  be  pursued 
here. 

f.  Tactics 

Tactics  refer  to  the  way  in  which  the  aircraft  is 
employed  in  combat.   An  example  of  a  tactic  used  to  reduce 
aircraft  susceptibility  is  to  fly  an  aircraft  profile  that 
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will  minimize  the  exposure  time  to  the  threat.   The  SM  could 
suggest  defensive  tactics  if,  as  assumed  in  item  (b),  it  has 
access  to  knowledge  bases  concerned  with  the  mission 
requirements  and  the  tactical  environment. 

g.   Integrated  Features 

The  greatest  potential  will  be  achieved  with  a 
Survivability  Manager  designed  to  use  an  integrated  systems 
approach.   For  example  the  data  from  threat  warning  devices 
could  be  analyzed  to  allow  maximum  effectiveness  in  the 
various  countermeasures  employments.   In  addition,  the 
information  could  be  presented  so  as  to  suggest  defensive 
maneuvers  (tactics)  that  would  give  the  threat  emitters  the 
widest  possible  berth. 

2 .   Civil  Aviation  Aircraft 

Most  of  the  susceptibility  reduction  techniques  apply 
only  in  man-made  hostile  environments.   Threat  warning  stands 
out  as  the  notable  exception  when  the  term  'threat'  includes 
those  which  are  non-military.   Within  this  definition, 
threats  include  environmental  extremes,  material  failures, 
and  human  errors . 

a.   Environmental  Extreme 

Currently,  most  of  the  information  that  is 
provided  to  the  pilot  concerning  environmental  extremes 
comes,  if  at  all,  from  sources  outside  of  the  aircraft. 
These  sources  include  pref light  weather  briefs,  in  flight 
updates  from  Flight  Service  Stations,  and  Pilot  Reports. 
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Weather  radars  are  the  only  widely  available  on  board  device 
capable  of  warning  of  weather  hazards,  and  they  are  limited 
to  the  detection  of  thunderstorms  and  heavy  precipitation. 
The  development  of  aircraft  wind  shear  detection  systems  will 
provide  a  real  time  alert  for  wind  shear  hazards,  allowing 
the  pilot  to  better  prepare  for  their  effects.   The  sensor 
data  could  also  be  fed  to  the  SM,  which  could  then  suggest 
(if  not  execute,  in  time  critical  situations)  steps  to  avoid 
or  withstand  the  threat.   Like  the  pilot,  the  SM  will  be  most 
effective  when  the  aircraft  sensors  can  provide  a  nearly 
complete  picture  of  the  external  environment, 
b.   Material  Failure 

Component  material  failures  generally  can  not  be 
accurately  predicted  in  flight.   Either  they  are  long  term 
phenomena,  monitored  by  sophisticated  ground  maintenance 
equipment  and  replaced  well  before  failure  occurs,  or  they 
fail  too  rapidly  to  allow  any  pilot  warning.   However,  there 
are  situations  where  appropriate  action  can  be  taken  in 
flight  to  avoid  specific  component  failures.   For  example, 
strain  gages  might  be  placed  at  strategic  stress  points  in 
the  wing  structure.   The  data  from  these  sensors  could  be 
compared  with  known  structural  strength  limits  to 
conitnuously  update  the  ' g'    load  limits.  In  the  event  of 
unavoidable  overstress  conditions  or  structural  damage,  the 
pilot  would  have  a  means  to  asses  the  new  'g'  load  that  may 
be  safely  applied  to  the  aircaft.   This  principle  of  health 
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awareness  can  be  applied  throughout  the  aircraft,  giving  the 
SM  the  means  to  monitor  the  material  strenth  of  major  load 
bearing  components  and  to  take  steps  to  prevent  them  from 
failing. 

c.   Human  Error 

The  threat  of  human  error  is  probably  the  hardest 
to  detect,  due  to  the  complex  and  unpredictable  nature  of  the 
human  mind.   Nevertheless,  many  errors  can  be  detected  in  the 
period  after  commission  and  prior  to  any  irreversible 
consequences.   Since  pilot  error  is  the  most  often  cited 
cause/factor  in  accident  investigation  reports,  it  may  be 
inferred  that  the  complacent  and/or  inexperienced  pilot  is 
currently  the  most  serious  threat  to  aviation  safety.   Though 
no  amount  of  assistance  can  replace  good  judgment  or 
professional  airmanship,  a  timely  caution  might  have  saved 
many  competent  pilots  from  their  one  fatal  mistake.   An  SM 
programmed  to  monitor  normal  and  emergency  procedures,  with 
status  sensor  relays  from  the  controls  involved,  could  warn 
against,  if  not  actively  prevent,  such  procedural  blunders. 
This  is  a  logical  sophistication  of  the  warning,  caution,  and 
advisory  lights,  which  are  designed  as  procedural  decision 
aids  for  the  pilot. 

B.   VULNERABILITY  REDUCTION 

Vulnerability  reduction  features  attempt  to  minimize  the 
degradation  of  aircraft  performance  as  the  result  of  combat 
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damage.   There  are  six  general  concepts  used  in  the  design  of 
these  features  [Ref.  l:pp.  269-306]: 

(1)  Component  redundancy  (with  separation). 

(2)  Component  location. 

(3)  Component  shielding. 

(4)  Component  elimination. 

(5)  Passive  damage  suppression. 

(6)  Active  damage  suppression. 

Although  designed  specifically  for  the  reduction  of 
vulnerable  area  presented  to  a  combat  damage  mechanism,  these 
concepts  may  be  applied  to  aircraft  vulnerability  reduction 
for  threats  in  general.   Most  of  the  vulnerability  reduction 
techniques  are  hardware  design  options,  and  do  not  lend 
themselves  to  direct  pilot  (or  SM)  control.   The  exceptions 
are  active  damage  suppression  and  component  redundancy, 
seperately  or  in  combination. 

Active  damage  suppression  features  reduce  vulnerability 
by  containing  or  minimizing  the  terminal  effects  of  a  damage 
mechanism  to  a  critical  component,  contingent  upon  detection 
of  those  terminal  effects  by  an  appropriate  sensor.   For 
example,  the  penetration  (the  terminal  effect)  of  an  engine 
lube  oil  sump  (the  critical  component)  by  a  blast  generated 
fragment  (the  damage  mechanism)  will  lead  to  the  eventual 
seizure  of  the  engine.   The  engine  oil  pressure  guage 
indicates  the  resulting  loss  in  oil  pressure,  allowing  the 
pilot  to  preemptively  secure  the  engine.   Although  the  engine 
is  functionally  lost  in  either  case,  the  difference  in  pilot 
action  could  make  the  difference  in  surviving  the  loss. 
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Component  redundancy  is  achieved  when  the  flight 
essential  function  (eg.  lift,  thrust,  or  control)  that  a 
component  is  designed  to  provide  is  preserved,  even  after  the 
functional  loss  of  that  component.  Ideally  there  will  be 
several  alternative  components,  or  groups  of  components, 
which  are  capable  of  performing  the  same  essential  function. 
This  critical  component  redundancy  may  be  physical  or 
functional,  partial  or  total,  concurrent  or  contingent.   If 
it  is  contingent,  there  must  be  some  controlling  mechanism 
that  will  sense  the  failure  and  subsequently  activate  the 
redundancy.   In  its  simplest  form,  the  redundancy  activation 
mechanism  can  be  reflexive,  as  in  the  deployment  of  a  ram  air 
turbine  when  total  loss  of  electrical  power  is  sensed  by  a 
solenoid.   This  technique  is  of  limited  application  where  the 
complexity  and  degree  of  degradation  require  careful 
consideration  in  the  context  of  the  current  operational 
environment.   For  example,  consider  a  Navy  tactical  aircraft 
making  a  field  recovery.   Failure  of  the  landing  gear 
breaking  system  during  the  landing  roll  may  dictate  either  a 
long  field  arrestment  or  a  go-around  to  a  short  field 
arrestment.  Automatically  lowering  the  arresting  hook  upon 
break  failure  is  not  an  appropriate  remedy,  and  could  in  fact 
lead  to  disasterous  consequences.   In  such  cases,  a  more 
sophisticated  mechanism  is  required  to  activate  the 
redundancy.   This  sophistication  can  be  provided  by  either 
the  pilot  or  the  Survivability  Manager. 
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The  principles  of  component  redundancy  and  active  damage 
suppression  can  be  applied  together  to  synergistically 
improve  aircraft  survivability.   For  example,  a  redundant 
control  rod  that  is  jammed  (the  terminal  effect),  as  a  result 
of  blast-generated  fragment  impact  (the  damage  mechanism), 
could  be  disengaged  from  the  control  linkage  by  means  of  an 
override  switch  (the  active  damage  suppression  feature). 
Once  the  jammed  component  is  correctly  identified  by  the 
appropriate  sensor,  the  pilot  or  the  SM  could  disengage  the 
jammed  rod  (active  damage  suppression)  and  engage  the 
remaining  functional  rod  (component  redundancy). 

The  most  productive  method  for  determining  the  functional 
redundancies  available  for  a  particular  aircraft  design  is  to 
refer  to  its  critical  component  analysis.   Specifically,  the 
kill  tree  (or  kill  expression)  provides  a  clear  presentation 
of  these  relationships,  for  a  given  kill  level  (i.e.  degree 
of  performance  degradation),  in  a  given  flight  phase  (eg. 
take  off,  climb  out,  en  route  cruise,  etc. ).   The  task  of 
developing  the  knowledge  base  for  the  Survivability  Manager's 
vulnerability  reduction  logics  can  be  further  simplified  by 
encoding  the  failure  modes  and  effects  analysis  (FMEA)  along 
with  the  fault  tree  analysis  (FTA)  conducted  for  that 
aircraft  into  the  knowledge  base.   When  thoroughly  performed, 
this  study  reveals  not  only  the  result  of  a  particular 
component  failure  but  also  any  backup  systems  capable  of 
performing  its  function.   This  information,  along  with 
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component  functional  status,  comprises  the  necessary  data 
required  by  the  inference  engine  to  correctly  deduce  and 
compensate  for  the  failed  component. 

C.   RELATED  RESEARCH 

1.   Pilot's  Associate  (PA) 

Underwritten  by  the  Defense  Advanced  Research 
Projects  Agency  (DARPA)  through  its  Strategic  Computing 
Program  (SCP),  the  Pilot's  Associate  is  being  developed  by 
the  Air  Force's  Wright  Aeronautical  Laboratory  (AFWAL). 
Essentially,  it  is  expected  to  assist  the  single  seat  fighter 
pilot  by  providing  'phantom  flight  crew'  (i.e.  copilot, 
weapon  system  operator,  navigator,  and  flight  engineer) 
expertise  in  both  critical  and  non-critical  situations. 
Initially,  it  will  consist  of  four  interactive  expert  systems 
[Ref .  ll:pp  8-12] : 

(1)  A  Situation  Assessment  Manager  to  assess  the 
external  environment  as  well  as  internal 
resources . 

(2)  A  Tactical  Planning  Manager  to  recommend  optimum 
tactical  employment  of  the  aircraft,  given 
mission  objectives  and  restrictions. 

(3)  A  Mission  Planning  Manager  to  refine  and 
redefine  mission  objectives,  given  current 
situation,  command,  and  intelligence  inputs. 

(4)  A  System  Status  Manager  to  monitor  and  diagnose 
total  system  health   and  current/projected 
status  of  all  on-board  systems. 

The  Survivability  Manager  proposed  in  this  thesis  is 

partially  assimilated  to  different  degrees  by  each  of  the 
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PA's  four  defined  managers.   If  it  were  included  as  a 
separate  manager,  it  would  interact  with  the  other  'managers' 
to  provide  the  pilot  with  an  assistant  whose  primary  purpose 
is  to  manage  the  lower  level  survivability  decision 
processes . 

2.  Self -Repairing  Flight  Control  System  (S/R  FCS1 

This  is  another  AFWAL  research  project.   The  S/R  FCS 
will  maintain  post  failure  flight  stability  in  fly  by  wire 
(FBW)  flight  controls  by  reconfiguring  the  multiple 
redundancies  in  control  surfaces.   Current  FBW  aircraft  do 
not  have  this  capability  to  recognize  and  account  for 
structual  damage  through  modification  of  the  control  laws 
that  govern  FBW  operation  [Ref.  12:pp  4-8].   Although 
originally  developed  for  use  in  the  Advanced  Tactical  Fighter 
(ATF),  the  principles  would  apply  to  all  future  combat 
aircraft  and  may  even  find  limited  applicability  in 
retrofitting  existing  models.   The  SM  could  provide  the  S/R 
FCS  with  the  functional  status  of  the  various  flight  control 
components,  so  that  raconf iguration  may  be  as  smooth  and 
effective  as  possible. 

3.  Fully  Automatic  Digital  Engine  Control  ( FADEC ) 
Under  development  at  the  Naval  Weapons  Center,  a 

major  goal  of  the  FADEC  program  is  to  significantly  reduce 
engine  vulnerability  by  fully  automating  the  regulation  of 
engine  controls.   Given  a  thrust  requirement  from  the  pilot, 
the  system  would  adjust  the  control  configuration  to  provide 
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optimum  (post-battle-damage)  performance.  Algorithms  are 
being  developed  to  make  the  appropriate  adjustments,  once  the 
trouble  has  been  identified  [Ref.  13].   AI  will  undoubtedly 
provide  the  means  to  make  the  identification,  based  on 
available  sensor  data. 

4 .  Computerized  Automatic  Test  Equipment 
Conducted  by  the  Navy  Research  Laboratory,  the 

investigation  centers  around  the  development  of  a  computer 
generated  testing  strategy  leading  to  implementation  of 
software  for  Built-in-Test  (BIT)  equipment  [Ref.  14:p.  67]. 
This  would  provide  the  SM  with  a  fault  detection/isolation 
capability  enabling  rapid  evaluation  and  reconfiguration  of 
functional  subcomponents. 

5 .  Collision  Avoidance  System  (CAS) 

On  board  collision  avoidance  systems  are  currently 
being  independently  developed  by  several  avionics  firms  to 
give  pilots  advance  warning  in  situations  where  collision 
with  other  aircraft  is  imminent.   The  CAS  uses  a  miniaturized 
version  of  the  ground  based  air  traffic  control  radar  which 
interrogates  transponder  equipped  aircraft  (most  are)  in  the 
vicinity  for  barometric  altitude.   This  information,  along 
with  accurate  range  and  bearing  information  provided  by  the 
radar  itself,  is  used  to  predict  collision  hazards  [Ref. 
15"-pp  48-53].   There  are  various  schemes  used  to  advise  the 
pilot  of  these  hazards  and  to  suggest  avoidance  maneuvers, 
but  none  use  AI .   Certainly,  such  a  system  could  be 
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integrated  with  the  SM  to  subtly  initiate  the  avoidance 
maneuvers  even  before  the  pilot  is  aware  of  the  hazard. 

6 .  Terrain  Avoidance  Radar 

These  radars  are  sophisticated  versions  of  the  simple 
radar  altimeter  which  is  found  on  all  IFR  certified  aircraft. 
In  both  cases,  their  function  is  to  provide  accurate  ground 
clearance  information.   This  information  is  analyzed  by 
either  the  pilot  or  the  automatic  pilot,  in  terrain  following 
or  terminal    approach  evolutions.   It  could  also  be  made 
available  to  the  SM  as  a  backup  monitor  to  warn  against,  and 
possibly  prevent,  unintentional  collision  with  the  ground  or 
water. 

7 .  Wind  Shear  Detection  and  Alerting  System 
Built  by  Sperry  Corporation  as  a  part  of  the 

Performance  Management  System  ( PMS )  and  currently  under 
company  evaluation,  this  system  senses  significant  changes  in 
horizontal  and  vertical  relative  wind  velocity  (wind  shear) 
and  alerts  the  pilot  with  advisory  lights,  so  that 
appropriate  compensation  can  be  initiated  well  before  the 
pilot  could  otherwise  detect  the  hazard  [Ref.  16:pp.  30].   By 
feeding  this  information  directly  to  the  autopilot,  the  SM 
could  initiate  corrective  action  even  sooner. 

8 .  Integrated  Electronic  Warfare  System  (INWES) 

The  INWES  program  is  expected  to  enhance  aircraft 
survivability  by  providing  crew  members  with  eloctro-optical 
and  elctromagnetic  threat  warning  and,  if  required,  indicate 
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an  appropriate  countermeasure  response.   Weapon  system 
synergism  is  effected  by  using  information  provided  by  other 
on  board  sensors  and  subsystems,  such  as  communications, 
navigation,  and  external  sensors  [Ref.  17:pp.  31-34].   INWES 
primary  processing  is  an  obvious  candidate  for  KBS 
application. 
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VI.  DESIGN  REQUIREMENTS 

Given  the  benefits  of  a  Survivability  Manager  in  the 
cockpit  to  assist  the  pilot  in  survivability  management,  the 
most  challenging  task  to  be  undertaken  (aside  from  funding) 
is  the  actual  design  and  construction  of  the  SM.   The  first 
step  towards  this  goal  is  to  define  exactly  what  functions 
the  SM  is  expected  to  perform.   Once  this  is  done,  it  remains 
to  determine  whether  the  required  hardware,  software,  and 
sensors  exist  in  practical  form.   If  not,  is  the  technology 
available  to  fabricate  them?   Finally,  the  system  must  be 
tailored  to  the  specific  systems  and  physical  constraints  of 
its  parent  aircraft. 

A.   FUNCTIONAL  REQUIREMENTS 

In  order  to  define  the  functional  requirements  for  the 
SM,  it  is  useful  to  first  characterize  the  pilot's  duties  and 
responsibilities  with  regard  to  survivability.   The  pilot 
might  be  considered  a  physician  of  sorts,  and  his  aircraft  a 
patient.   He  must  constantly  be  aware  of  the  health  of  his 
aircraft.   He  must  rapidly  and  accurately  diagnose  any 
problems  and  prescribe  a  suitable  remedy.   Of  course,  a  real 
doctor  would  have  the  benefit  of  easy  access  to  exhaustive 
reference  material,  as  well  as  the  invaluable  'second 
opinion'  from  other  doctors.   With  the  advent  of  AI ,  the 
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physician  has  also  been  given  the  means  to  obtain  this  second 
opinion  from  a  machine.   MYCIN  is  an  example  of  such  a 
medical  expert  system,  one  that  is  concerned  with  blood 
infections  and  meningitis  infections.   Via  interactive 
consultation,  the  doctor  inputs  the  symptoms  and  vital 
statistics,  and  MYCIN  produces  a  diagnosis  and  recommends 
appropriate  therapy  [Ref.  18: pp.  39-44].   Clearly,  this 
Survivability  Manager  for  people  can  find  useful  application 
to  aircraft,  with  an  appropriate  knowledge  base.   The  major 
difference  is  that  the  health  would  be  directly  monitored  by 
the  SM. 

The  Survivability  Manager  can  be  designed  to  perform  a 
myriad  of  tasks  which  would  otherwise  require  excessive  pilot 
action  or  consideration.   Regardless  of  the  scope  of 
involvement,  the  system  must  accomplish  its  tasking  in  five 
basic  phases:  monitor,  predict,  detect,  analyze,  and  respond. 

1 .   Monitor  Aircraft  Health  and  External  Environment 

The  human  brain  can  not  reason  without  data,  and  the 
expert  system  is  no  different  in  this  respect.   They  both 
require  a  nervous  system,  with  suitable  internal  and  external 
environment  sensors,  to  gather  and  convey  this  data.   In  the 
cockpit,  the  data  required  can  be  obtained  either  by  direct 
sensor  relay,  or  indirectly  by  subsystem  self -diagnostics 
polling. 

External  sensors  provide  the  data  required  by  the 
susceptibility  reduction  logics  to  forecast  external  hazards. 
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Examples  include  radar  altimeter  and  collision  avoidance 
radar.   Internal  sensors  can  be  further  subdivided  into 
susceptibility  reduction  sensors  and  vulnerability  reduction 
sensors.   Susceptibility  reduction  sensors  are  concerned  with 
control  and  actuator  position  reporting,  providing  positive 
feedback  while  monitoring  normal  and  emergency  procedures. 
If  critical  steps  are  omitted  or  transposed,  susceptibility 
goes  up  for  the  hazards  these  procedures  are  established  to 
avoid.   Vulnerability  reduction  sensors  report  component 
and/or  subsystem  failure  mode  and  degree.   A  complete, 
current  picture  of  aircraft  health  is  required  for 
vulnerability  reduction  logics  to  determine  the  most 
effective  subsystem  reconfiguration  possible. 
2 .   Predict  Hazards 

The  susceptibility  reduction  logics  rely  on  external 
and  internal  sensors  to  provide  thedata  pertaining  to 
proximity  to  hazardous  conditions.   To  be  effective,  these 
logics  must  be  able  to  deduce  the  hazard  well  before  it 
precipitates  any  component  failures.   This  requires  a 
cause-and-ef f ect  reasoning  capability  which  the  expert  system 
can  theoretically  supply.   By  extrapolation,  the  hazard  may 
be  argued  to  include  equipment  malfunction  and  pilot 
oversight.   For  example,  a  combat  aircraft  executing  covert 
ingress  to  the  target  may  unintentionally  be  radiating  some 
form  of  electromagnetic  energy.   Note  that,  in  this  example, 
the  logics  must  be  cognizant  of  the  flight  mission  and  phase. 
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This  would  suggest  an  interface  with  the  'mission  manager  of 
the  Pilot's  Associate  program,  under  development  at  the  Air 
Force  Wright  Aeronautial  Laboratory. 

3.  Detect  and  Isolate  Failures 

When  a  hazard  can  not  be  avoided,  its  damaging 
affects  must  be  sensed  before  suitable  vulnerability 
reduction  measures  can  be  applied.   Failure  mode  and  degree 
must  be  accurately  reported  to  ensure  the  widest  possible 
range  of  corrective  actions  available.   Failure  mode  is  the 
nature  of  functional  degradation,  while  failure  degree  is  the 
measure  of  its  completeness.   For  example,  a  failure  mode  for 
an  engine  may  be  a  partial  loss  of  thrust  with  a  degree  of 
eighty-five  percent  maximum  rated  thrust  available.   The 
precise  determination  of  the  mode  and  degree  of  component 
failures  requires  a  high  degree  of  sensor  sophistication  and 
proliferation.   Fortunately,  most  subsystems  in  modern 
aircraft  are  constructed  with  built-in-test  circuits  which 
can  provide  the  bulk  of  this  information.   The  remainder  will 
have  to  be  gathered  by  sensors  designed  for  specific 
survivability  applications.   For  example,  sensors  designed  to 
report  structural  removal  and  over-stress  conditions  would 
prove  invaluable  in  real  time  determination  of  performance 
limits . 

4 .  Determine  Optimal  Response 

In  a  multi-factored  scenario,  such  as  an  aircraft  in 
flight,  there  can  be  several  plausible  alternatives  to  act 
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upon  at  any  given  decision  point.   Only  one  can  be  selected, 
and  a  great  deal  of  time  can  not  be  consumed  in  the 
selection.   A  knowledge  based  system  with  sufficient  memory 
available  can,  in  theory,  identify  and  explore  each  viable 
alternative  and  present  them  to  the  pilot.   Further,  it  can 
prioritize  the  list  by  optimal  consistancy  with  flight  safety 
and  mission  objectives.   This  is  the  essence  of  the  utility 
of  the  expert  system  in  survivability  enhancement;  the 
ability  to  determine  the  best  course  of  action  based  on  the 
analysis  of  internal  and  external  data,  given  pre-defined 
non-numeric  constraints. 
5 .   Advise  or  Act 

Once  presented  with  the  various  alternatives,  the 
pilot  may  or  may  not  choose  to  act  on  the  one  that  the  expert 
system  suggests.   His  decision  would  be  based  on  factors  it 
has  not  been  provided  for  consideration.   For  example,  the 
pilot  may  be  the  lead  in  a  two  plane  flight,  in  which  case 
the  impact  of  his  actions  on  his  wingman  must  be  considered. 
Conversely,  it  is  conceivable  that  the  situation  may  dictate 
an  immediate  response  to  prevent  a  catastrophic  failure.   A 
case  in  point  is  a  sudden  wind  shear  during  final  approach, 
resulting  in  excessive  vertical  drop.   A  properly  programed 
expert  system  with  suitable  control  interfaces  could  initiate 
compensation  procedures  well  before  the  pilot  could  react, 
increasing  the  chances  of  surviving  the  hazard. 
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Clearly,  an  enable  switch  must  be  provided  to  give  the 
pilot  the  prerogative  to  allow  the  expert  system  to  act 
autonomously.   Further,  the  pilot  should  be  able  to  select 
the  type  and  degree  of  autonomous  tasking  that  the  expert 
system  is  allowed  to  perform.   In  any  case,  the  SM  must 
inform  the  pilot  of  any  actions  taken. 

B.   SYSTEMS  REQUIREMENTS 

Today,  the  AI  discipline  is  largely  within  the  pure 
research  stages,  with  a  limited  number  of  systems  thus  far 
developed  for  solving  problems  of  modest  complexity. 
However,  enough  is  known  to  estimate  general  system 
requirements  for  an  expert  system  for  practical  applications. 

1 .   Hardware 

The  Survivability  Manager  must  be  able  to  react  in 
real  time  to  a  dynamic,  complex  set  of  internal  and  external 
conditions.   This  equates  to  a  need  for  extremely  high  speed 
processors  and  access  to  very  large  memories, 
a.   Processors 

The  so-called  'super  computers',  employing  the 
conventional  Von  Neumann  serial  processing  architecture,  are 
being  built  with  clock  cycle  times  close  to  their  minimum 
useful  limit.   Since  an  electrical  pulse  can  only  travel  .3 
meters  in  a  nanosecond,  the  clock  rate  is  beginning  to 
constrain  the  very  size  of  the  computer.   And  yet,  a 
nanosecond  may  not  be  small  enough  in  a  serial  processor  for 


57 


the  enormous  number  of  inferences  per  second  required  of  an 
SM  of  modest  capability.   Goodyear  Aerospace's  Massively 
Parallel  Processor  (MPP)  is  an  example  of  a  new  approach  to 
this  problem,  one  that  may  prove  both  faster  and  cheaper 
[Ref.  19: pp.  20-28].   The  MPP  design  is  essentially  a 
physical  representation  of  the  'parallelism'  problem  solving 
technique  listed  in  Chapter  VI.    By  building  a  system  with 
hundreds,  or  even  thousands,  of  processors  which  operate 
independently,  the  solution  space  search  can  theoretically  be 
completed  in  a  corresponding  fraction  of  the  time.   However, 
there  are  some  major  obstacles  to  the  development  of  parallel 
processing  machines  for  practical  AI  applications.   For 
example,  processor  interconnections  and  memory  access  schemes 
must  provide  for  efficient  use  of  available  processing 
capabilities.   Moreover,  some  means  must  be  devised  to  break 
down  the  problem  and  equitably  distribute  the  pieces, 
b .   Memory 

It  has  been  said  that  knowledge  is  power,  and 
this  is  painfully  evident  to  expert  systems  engineers.   They 
have  found  that  the  size  of  the  knowledge  base  is  even  more 
important  than  the  efficiency  of  the  inference  engine.   DARPA 
has  estimated  that  a  10,000  rule  expert  system  is  the  minimum 
size  that  could  have  practical  military  applications.   Most 
currently  operational  expert  systems  have  fewer  than  500 
rules.   The  implication  is  that  massive  memory  facilities 
must  be  accessible  to  the  SM,  facilities  that  are  not 
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currently  available.   The  current  expert  system  computer 
architecture  utilizes  an  18  bit  address,  providing  a  maximum 
of  262,144  addresses.   The  32  bit  address  computer,  providing 
for  a  maximum  of  4.3  billion  addressable  memory  locations,  is 
seen  as  the  logical  choice  for  future  expert  systems. 
2 .   Software 

The  expert  system  can  not  be  efficiently  programmed 
using  a  conventional  language,  such  as  FORTRAN  or  PASCAL.   To 
fill  this  need,  declarative  languages  have  been  developed 
specifically  for  KBS  applications.   Currently,  the  two  most 
widely  used  expert  system  programming  languages  are  "LISt 
Processing"  (LISP)  and  "PROgramming  in  LOGic"  (PROLOG).   Both 
of  these  languages  are  effective  building  tools,  but  there 
are  significant  differences.   LISP  is  useful  because  it 
manages  data  structures  easily,  and  its  programs  can 
manipulate  other  programs,  but  it  has  no  tools  for  logic 
programming.   PROLOG  is  useful  because  it  is  essentially  a 
compiler  into  which  the  user  merely  inputs  the  encoded 
knowledge  base.   The  usual  programming  skills  are  not 
required.   However,  this  ease  of  implementation  is  also  a 
disadvantage,  because  it  allows  no  efficient  mechanism  for 
closely  controlling  a  procedural  activity.    The  KBS  language 
of  the  future  will  undoubtedly  attempt  to  assimilate  the  best 
of  both  languages. 
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3 .  Knowledge  Acquisition 

This  is  the  greatest  single  challenge  to  the 
realization  of  the  SM.   The  SM  must  have  access  to  properly 
encoded  domain  knowledge,  and  lots  of  it.   Although  there  is 
no  shortage  of  aircraft  systems  expertise,  getting  this 
knowledge  into  a  form  that  is  useful  to  an  expert  system  is 
an  extremely  tedious,  and  not  always  successful,  process. 
Researchers  have  found  that  often  times  a  domain  expert  (eg. 
the  pilot)  may  not  be  able  to  explain  his/her  reasoning  in  a 
particular  situation,  though  he/she  is  unerring  in  his/her 
assessment . 

4 .  Data  Acquisition 

Although  domain  knowledge  is  essential  to  the 
operation  of  the  SM ,  it  will  be  of  no  value  to  the  pilot  if 
it  can  not  be  applied  to  his  current  situation.   The  SM  must 
also  be  able  to  sense  the  internal  health  and  status  of  the 
aircraft  systems,  as  well  as  the  external  environment.   This 
can  be  accomplished  through  distributed  resource  sharing  with 
the  dedicated  microprocessors  in  the  various  aircraft 
functional  subsystems,  or  by  direct  sensor  relay. 

a.   Resource  Sharing 

Most  of  the  major  systems  in  current  commercial 
and  military  aircraft  models  have  imbedded  mircroprocessors 
that  automate  the  operation  of  those  systems  for  the  pilot. 
The  system  status  reports  they  receive  from  the  components 
they  control  could  theoretically  be  passed  to  the  SM.   The 
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physical  interconnection  scheme  used  to  accomplish  this 
transfer  must  account  for  the  differences  in  architecture 
between  the  processors  involved, 
b.   Dedicated  Sensors 

If  resource  sharing  is  not  feasible  or  system 
status  reports  are  otherwise  not  available  for  critical 
components,  then  sensors  must  be  fitted  to  the  components; 
sensors  that  report  directly  to  the  SM.   Precise  functional 
information  may  be  required  (i.e.  failure  cause,  mode,  and 
degree),  which  then  requires  a  corresponding  sophistication 
in  sensor  design. 

C.   COMPATIBILITY  CONSIDERATIONS 

Assuming  that  it  is  possible  to  build  a  competent 
Survivability  Manager  KBS ,  one  of  the  last  major  design  tasks 
is  to  build  it  within  the  physical  constraints  of  the  parent 
aircraft.   This  requirement  is  at  odds  with  the  systems 
requirements.   To  limit  the  acceptable  volume  and  weight 
allocation  necessarily  limits  the  maximum  processing  and 
memory  storage  capabilities.   Of  course,  this  is  a  problem 
for  avionics  in  general. 

1 .   Integration  with  Projected  Aircraft 

In  keeping  with  the  philosophy  that  survivability 
should  be  designed  in  and  not  just  added  on,  it  is  obvious 
that  the  Survivability  Manager  will  be  most  successful  when 
it  can  be  incorporated  into  the  earliest  stages  of  the  parent 
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aircraft's  development.  This  is  especially  important  for  the 
SM,  because  it  must  be  able  to  sense  the  functional  health  of 
the  aircraft  in  depth. 

2 .   Retrofit  with  Existing  Aircraft 

Existing  aircraft  may  not  be  operational  by  the  time 
a  working  SM  of  practical  importance  is  finally  available. 
Should  major  breakthroughs  in  research  (funding)  occur,  it 
will  be  extremely  costly  to  effectively  integrate  the  SM  with 
these  aircraft.   It  may  even  be  too  late  for  next  generation 
aircraft,  such  as  the  ATA  and  the  ATF.   This  because  the 
intimate  interfacing  that  must  be  considered  in  the  design 
now  can  not  rely  on  AI  practical  success  later  on. 
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VII.  SUMMARY  AND  CONCLUSIONS 

A.   SUMMARY 

In  spite  of  intensive  safety  engineering  and  well 
developed  flight  procedures,  civil  aircraft  survivability  is 
challenged  by  the  hazards  associated  with  the  modern 
operational  flight  environment.   For  the  military  aircraft 
that  is  operating  in  a  man-made  hostile  environment,  these 
hazards  are  compounded  by  hazards  which  are  specifically 
intended  for  the  destruction  of  aircraft.   Regardless  of  the 
type  of  mission  to  be  flown,  the  primary  responsibility  of 
the  pilot  is  the  safe,  effective  employment  of  the  aircraft, 
and  his/her  performance  is  seriously  degraded  by  these 
hazards.   U.  S.  National  Transportation  Safety  Board 
statistics  reveal  a  general  decline  in  civil  aircraft 
accidents  in  the  last  decade,  but  there  are  still  too  many, 
and  a  large  portion  of  these  accidents  can  be  at  least 
partially  attributable  to  pilot  error.   Statistics  for 
military  flight  mishaps  show  a  similar  pattern.   Pilot  error 
is  often  the  result  of  task  overload  conditions.   This 
conclusion  is  based  on  the  fact  that  most  accidents  occur 
during  critical  flight  phases  when  the  pilot  task  load  is 
greatest . 

Conventional  task  load  reduction  practices  seek  to 
enhance  aircraft  survivability  by  automating  the  execution  of 
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pilot-selected  aircraft  system  functions.   Although  this 
automation  allows  the  pilot  to  manage  several  of  the  aircraft 
systems  simultaneously,  it  can  lead  to  a  'data  rich  - 
information  poor'  cockpit  if  the  number  or  complexity  of  the 
systems  involved  is  great.   This  data  rich  condition  will  in 
fact  decrease  the  aircraft's  survivability  if  the  pilot 
commits  a  procedural  error  while  sorting  through 
nonprioritized  and/or  extraneous  data.   It  is  clear  that 
relegation  of  task  management,  as  well  as  simplification  of 
task  execution,  is  required  to  effectively  reduce  pilot 
workload  during  critical  flight  phases.   If  larger  crews  or 
improved  pilot  capabilities  are  not  feasible  approaches  for 
enhanced  task  management  ,  then  the  avionics  engineer  must 
build  'intelligent'  sytems  that  can  manage  themselves.   These 
automated  Survivability  Managers  (SM)  would  monitor  aircraft 
health  and  the  external  environment,  and  react  to  recognized 
hazards  in  ways  that  complement  or  even  supplement  pilot 
capabilities . 

Knowledge  based  systems  (KBS),  which  are  considered 
studies  within  the  field  of  artificial  intelligence  (AI),  are 
ideally  suited  to  provide  the  pilot  with  an  automated 
Survivability  Manager.   The  KBS  relys  on  sophisticated 
problem  solving  techniques  and  vast  stores  of  domain-specific 
knowledge  to  solve  problems  that  conventional  language 
programs  can  not  solve.   The  conventional  programming 
languages  (e.g.  FORTRAN)  rely  on  numeric  methods  to  solve 
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problems  and  can  not  efficiently  handle  problems  involving 
non-numeric  relationships.   In  contrast,  the  declarative 
languages  used  in  knowledge  based  systems  can  employ 
human-like  reasoning  techniques  and  strategies. 
Conceptually,  the  KBS  consists  of  a  knowledge  base  and  an 
inference  engine.   The  knowledge  base  contains  the  domain- 
specific  knowledge  (provided  by  domain  experts)  required  to 
solve  domain-specific  problems.   The  inference  engine 
performs  the  actual  reasoning  process  by  employing  some 
suitable  combination  of  reasoning  techniques  and  strategies. 
The  application  of  KBS  principles  to  survivability  management 
is  illustrated  in  Chapter  IV,  using  a  hypothetical  engine 
fuel  supply  system  as  a  working  example. 

Once  the  KBS  capabilities  are  understood,  the 
applications  to  survivability  enhancement  are  readily 
apparent.   In  a  military  aircraft,  the  Survivability  Manager 
could  detect,  analyze,  classify,  and  respond  to  threat 
emitters  and  propagators  through  the  integrated  management  of 
the  available  susceptibility  reduction  features  and 
equipment.   In  a  civil  aircraft,  susceptibility  reduction 
would  be  accomplished  by  pooling  the  external  and  internal 
sensor  resources  to  prevent  damage  due  to  environmental 
extremes,  material  overstresses ,  and  human  errors.   The  SM 
can  assist  with  vulnerability  reduction  in  both  civil  and 
military  aircraft  through  control  of  active  damage 
suppression  and/or  component  redundancy  features.   The 
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development  of  the  SM  can  draw  upon  the  efforts  of  the 
Pilot's  Associate,  the  Self -Repairing  Flight  Control  System, 
the  Fully  Automatic  Digital  Engine  Conrol  system,  and  several 
other  related  research  projects. 

The  SM  can  be  designed  to  manage  a  number  of  distinct 
aircraft  survivability  enhancement  operations,  but  in  all 
cases  this  management  must  be  performed  in  five  basic  phases: 

(1)  Monitor  aircraft  health,  and  the  external  environment. 

(2)  Predict  hazards. 

(3)  Detect  and  isolate  failures. 

(4)  Determine  the  optimal  response. 

(5)  Advise  the  pilot,  or  act  autonomously. 

Aside  from  these  functional  requirements,  there  are  systems 
requirements  that  must  be  considered  by  the  SM  designer. 
Processing  speed  must  be  fast  enough  to  allow  the  SM  to  react 
immediately  to  real  or  perceived  hazards.   Memory  storage 
space  must  be  sufficient  to  include  the  enormous  amount  of 
knowledge  needed.   The  programming  language  should  allow  for 
ease  of  knowledge  infusion,  yet  be  flexible  enough  to  apply  a 
number  of  reasoning  techniques  and  strategies.   Systems 
status  data  must  be  made  accessible  via  resource  sharing  and 
dedicated  sensors.   Finally,  the  system  must  fit  gracefully 
into  the  parent  aircraft,  preferably  during  the  early 
aircraft  design  stages. 
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B.   CONCLUSIONS 

1 .  Feasibility 

The  knowledge  based  system  is  an  emerging  technology. 
The  KBS  has  already  been  proven  in  small  scale  applications, 
and  has  even  begun  to  enjoy  significant  commercial 
development.   Although  a  system  which  is  large  enough  to 
accomodate  a  Survivability  Manager  with  modest  capabilities 
(on  the  order  of  10,000  rules)  has  yet  to  be  built,  the 
potential  certainly  exists.   Of  course,  the  first  such  system 
may  not  fit  into  a  C-5's  cargo  bay,  let  alone  an  F/A-18's 
avionics  suite.   But  even  the  single  seat  fighter  pilot  will 
one  day  realize  the  benefits  of  an  intelligent  cockpit.   The 
capability  for  relegating  lower  level  management  processes  is 
sorely  needed  now,  especially  during  the  task-load-saturated 
critical  flight  phases.   Through  AI ,  the  Survivability 
Manager  will  meet  this  challenge,  but  only  after  intensive 
research  and  development  efforts. 

2 .  Recommendations  for  Further  Research 

There  are  a  number  of  studies  which  must  be  conducted 
to  further  investigate  the  feasability  of  building  a 
Survivability  Manager.   Although  these  studies  will  rely  on 
basic  AI  research,  they  should  be  centered  on  the  specific 
needs  of  the  intelligent  cockpit.   The  first  study  might 
consist  of  defining  a  modest  200  rule  KBS  for  an  isolated 
system  in  an  actual  aircraft,  such  as  the  F/A-18  power  plant. 
The  aircraft's  critical  component  analysis  along  with  the 
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flight  systems  manual  will  provide  an  excellent  source  of 
basic  knowledge  for  this  purpose.   Next,  the  method  of 
representing  the  knowledge  in  the  knowledg  base  must  be 
considered.   This  entails  selection  of  the  hardware  and 
software  to  host  the  expert  system.   This  selection  will  be 
limited  by  available  assets.   Once  the  knowledge  has  been 
properly  encoded,  a  harness  must  be  constructed  to  simulate 
the  various  aircraft  health  status  inputs  required  by  the  SM 
prototype.   Finally,  the  system  should  be  tested  using 
realistic  performance  and  failure  data  from  the  actual 
aircraft.   The  SM  prototype  can  then  be  tested  under  various 
simulated  adverse  conditions  to  assess  and  refine  the 
correctness  and  timeliness  of  its  responses.   These  studies 
will  not  be  conclusive,  but  they  should  be  indicative  of  the 
promise  of  AI  for  enhanced  aircraft  survivability. 
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APPENDIX  A  (GLOSSARY) 


ACTIVE  DAMAGE  SUPPRESSION-   An  aircraft  vulnerability 
reduction  technique,  wherein  damage  is  sensed  and 
subsequently  minimized  or  contained  through  activation  of  one 
or  more  devices. 

AIRCRAFT  COMBAT  SURVIVABILITY-   The  ability  of  an  aircraft  to 
avoid  or  withstand  (damage  caused  by)  a  man-made  hostile 
environment. 

AIRCRAFT  COMBAT  SUSCEPTIBILITY-   The  inability  of  an  aircraft 
to  avoid  (damage  caused  by)  a  man-made  hostile  environment. 

AIRCRAFT  COMBAT  VULNERABILITY-   The  inability  of  an  aircraft 
to  withstand  (damage  caused  by)  a  man-made  hostile 
environment. 

AIRCRAFT  HEALTH-   The  functional  condition  of  the  aircraft, 
measured  by  its  operational  performance  capabilities,  and 
dependent  on  the  functional  condition  of  its  systems  and 
system  components. 

AIRCRAFT  SURVIVABILITY-   The  ability  of  an  aircraft  to  avoid 
or  withstand  (flight  performance  degradation  caused  by)  a 
hazardous  situation. 

AIRCRAFT  SUSCEPTIBILITY-   The  inability  of  an  aircraft  to 
avoid  (flight  performance  degradation  caused  by)  a  hazardous 
situation. 

AIRCRAFT  VULNERABILITY-   The  inability  of  an  aircraft  to 
withstand  (flight  performance  degradation  caused  by)  a 
hazardous  situation. 

ARTIFICIAL  INTELLIGENCE-   The  condition  where  machines  mimic 
human  rational  thought  processes. 

BACKWARD  INFERENCING-  A  reasoning  strategy  wherein  a  solution 
to  a  problem  is  assumed  and  a  search  for  supporting  evidence 
is  then  pursued  sequentially  backwards  to  the  known  facts. 

COMPONENT  REDUNDANCY-   A  vulnerability  reduction  technique 
wherein  a  function  can  be  performed  by  more  than  one 
component  or  groups  of  components. 

CRITICAL  COMPONENT-   A  component  which  makes  a  necessary 
contribution  to  the  performance  of  a  flight  essential 
function.   The  loss  of  a  redundant  critical  component  will 
not  neccessarily  result  in  a  loss  of  a  flight  essential 
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function,  whereas  the  loss  of  a  non-redundant  critical 
component  will  always  result  in  the  loss  of  a  flight 
essential  function. 

CRITICAL  FLIGHT  PHASE-   A  portion  of  the  flight  in  which  the 
aircraft  is  especially  susceptible  to  hazardous  situations. 

DOMAIN  EXPERT-  A  person  that  is  recognized  as  an  authority 
in  the  specific  subject  of  interest  and  from  whom  knowledge 
is  acquired  for  a  knowledge  based  system. 

DOMAIN  KNOWLEDGE-   The  knowledge  that  an  expert  in  the 
subject  of  interest  provides  to  the  KBS. 

EXPERT  SYSTEM-   See  KNOWLEDGE  BASED  SYSTEM 

FAILURE  CAUSE-   A  primary  event  which  significantly 
contributed  to  the  failure  mode  of  a  component. 

FAILURE  DEGREE-   The  extent  or  completeness  to  which  a 
component's  performance  has  been  functionally  degraded. 

FAILURE  MODE-   The  nature  of  a  component  failure.   For 
example,  a  control  rod  may  be  either  severed  or  jammed. 

FAILURE  MODES  AND  EFFECTS  ANALYSIS  (FMEA)-  A  procedure  that 
(1)  identifies  and  documents  all  possible  failure  modes  of  a 
component  or  subsystem,  and  (2)  determines  the  effect  of  each 
failure  mode  upon  the  capability  of  the  system  or  subsystem 
to  perform  its  essential  functions. 

FLIGHT  ESSENTIAL  FUNCTION-   A  system  or  subsystem  function 
required  to  enable  the  aircraft  to  sustain  controlled  flight. 

FORWARD  INFERENCING-   A  reasoning  strategy  wherein  a  search 
for  a  problem  solution  is  conducted  sequentially  from  the 
known  facts . 

INFERENCE  ENGINE-   The  construct  within  the  KBS  that  performs 
the  reasoning  process. 

INSTRUMENT  FLIGHT  RULES  (IFR)-   FAA  supervised  flight 
procedures  wherein  the  aircraft  route,  altitude,  and  airspeed 
is  dictated  by  ground  controllers. 

KNOWLEDGE  BASED  SYSTEM  (KBS)-   A  computer  system  that  uses 
sophisticated  non-numeric  problem  solving  techniques  and  vast 
stores  of  knowledge  to  solve  problems  beyond  the  reach  of 
conventionally  programmed  computers. 
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KNOWLEDGE  BASE-   The  construct  within  the  KBS  that  contains 
the  encoded  domain  knowledge. 

MAN-MADE  HOSTILE  ENVIRONMENT-   Flight  conditions  that  are 
hazardous  to  flight  safety  due  to  the  intentional  employment 
of  destructive  man-made  devices. 

SURVIVABILITY  MANAGER-   A  knowledge  based  system  designed  to 
assist  the  pilot  in  the  management  of  the  aircraft's 
survivability  features  and  equipment. 

VISUAL  FLIGHT  RULES  (VFR)-   Flight  procedures  wherein  the 
pilot  is  solely  responsible  for  the  safe  conduct  of  the 
flight  and  is  not  under  direct  ground  supervision. 
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